Using SDL Tools to Test Properties of Distributed Systems
- in Proc. of Formal Approaches to Testing of Software (FATES’01), Workshop of the Int. Conference on Concurrency Theory (CONCUR’01)
Cited by 9 (6 self)
We present an ongoing project on reasoning on properties of distributed systems based on monitoring of their executions. The proposed approach uses SDL to model an execution trace of the system under test and an existing model checker to perform the analysis of properties of interest specified in the SDL-like language GOAL. For this purpose, we use the available ObjectGEODE tool set. We describe how SDL models are built from collected traces, and show how the desired properties are specified. An example is used to illustrate the approach. The proposed methodology can be applied to test distributed systems and to diagnose their faults.
Design and Implementation of Enum-Based Services
- Journal of Universal Computer Science
Cited by 1 (1 self)
Abstract: ENUM is a technology based on a procedure that assigns a sequence of traditional telephone numbers to Internet domain names. It specifies a rule that makes it possible to relate a domain to a telephone number without any risk of ambiguity. This domain can then be used to identify various communication services like fax, mobile phone numbers, voice-mail systems, e-mail addresses, IP telephone addresses, web pages, GPS coordinates, call diverts or unified messaging. In our paper we deal with three main problem areas in connection with the business model of the ENUM service and with the introduction of new services, i.e. the questions of tariffs, legal regulations and financial return. For the ENUM procedure to spread out in use specific services have to be implemented that can exploit the advantages of the ENUM and efficient methods have to be elaborated to base existing services on ENUM. We will outline the two new services invented by our group and that we have implemented in our project.
Live Baiting for Service-Level DoS Attackers
Cited by 1 (0 self)
Denial-of-Service (DoS) attacks remain a challenging problem in the Internet. In a DoS attack the attacker is attempting to make a resource unavailable to its intended legitimate clients. Furthermore, in order to employ massive attack power, the attacker usually launches a distributed denial of service (DDoS) attack, in which several subordinate hosts attack the target in concert. Denial-of-service attacks can result in significant loss of time and money for many organizations, thus, many defense mechanisms have been proposed. In this paper we propose a novel approach for detecting DoS attackers, which we call live baiting. Live baiting leverages group-testing theory, which aims at discovering defective members in a population using the minimum number of “tests”, to detect attackers with the minimum state. We analyzed the coverage, effectiveness, in terms of false positive and false negative probabilities, and efficiency, in terms of memory, message overhead, and computational complexity, of our approach. We validated our analysis using NS-2 simulations modeled after real Web traces. Live baiting detected hundreds of DoS attackers against a Web service within 90 seconds, with few false positives and almost zero false negatives. Moreover, live baiting substantially reduced the amount of state needed to detect DoS attackers, from order of total number of clients to order of number of attackers. This saving allows live baiting to scale to large services with millions of clients.
ARP & ICMP WEAKNESSES: IMPACT & NETWORK PERFORMANCE ANALYSIS OF A NOVEL ATTACK STRATEGY
Abstract – After the ARP and IP were drafted, a subtle weakness in the Address Resolution Protocol was discovered. Unlike TCP, ARP relies on raw sockets and like UDP; ARP provides no means to establish the authenticity of the source of incoming packets. Although this problem can be resolved in case of UDP packets by considering alternate approaches such as DNS replies being sent over TCP rather than UDP using the DNSSEC architecture so that false DNS replies may not be accepted by a host; ARP is still prone to similar attacks. This paper identifies known weaknesses of the ARP and analyses the impact of a network flooding utility developed by us, the underlying ideology of which is this very weakness of the ARP. The purpose of our implementation is to extend what conventional tools can do, by incorporating a network flooding module in it, and to simulate a flooded network where hosts are forced to broadcast outgoing packets to the entire network. In some network conditions, the gateway may also be brought into broadcast mode, leading to undesired results. Various attack strategies are considered and the network performance during these attacks is measured. We also reveal a strategy by which ICMP replies are received by a host trying to PING a destination, but the host fails to recognize these replies. Such a weakness in the ICMP can lead to erroneous network management.
Host-Based Intrusion Detection
- 2005
Intrusion detection (Crothers, 2002; Schultz, Endorf, & Mellander, 2003) is the process of identifying and responding to suspicious activities targeted at computing and communication resources. An intrusion detection system (IDS) monitors and collects data from a target system that should be protected, processes and correlates the gathered information, and initiates responses when evidence of an intrusion is detected. Depending on their source of input, IDSs can be classified into network-based systems and host-based systems. Network-based intrusion detection systems (NIDSs) collec
Automated Reasoning in Co-operative Cyber Defense
Computer attacks are here to stay. The best we can do is detect and tolerate them. With attacks becoming more sophisticated and prevalent, especially the unknown ones, we cannot afford to tackle them individually. We need to rule them out on a wholesale basis. The increasing frequency of automated attacks and worm outbreaks demands automated responses. This research presents a thorough overview of the existing literature in addressing these requirements and provides new ideas and approaches to overcome their shortcomings. The key parts of this research are: formal verification of security of a network, an automated response framework for enterprises and strategies to deal with widespread attacks such as worms. Together, these components in conjunction with the established defense systems can provide complete protection against known and unknown attacks.

